Apparently OpenVAS originated as a fork of Nessus. It is very easy to install and use OpenVAS because it's, well, open. However, am I kidding myself if I just use that instead of Nessus? Should I be using both, or if I use Nessus then is OpenVAS surplus to requirements?

To break it down into non-subjective sub-questions:
* Is OpenVAS a superset or subset of Nessus?
* Is one updated more often than the other?
* Does one have a bigger vulnerability database than the other?
* ...or are there other qualitative differences that I may be missing?

2 Answers

It has a better feel and management, not to mention the updates offered.
Furthermore, the control of Nessus via updates and usage, I believe, is more professional because of the proprietary model. It's just easier to use.

OpenVAS server is a forked development of Nessus 2.2.
The fork happened because the major development (Nessus 3) changed to a
proprietary license model and the development of Nessus 2.2.x is practically
closed for third party contributors. OpenVAS continues as Free Software under
the GNU General Public License with a transparent and open development style.

Although OpenVAS was forked, since then (2008) it has changed into something new,
with new features and functions not offered in Nessus.

For a simple desktop-version assessment (1 user, small amounts of checking), I would go with Nessus.

However, because OpenVAS is an open-source product, people are saying its scanning abilities are a little further along than Nessus's. (I can't prove this, nor do I really believe it. :P)

It is a good idea to have the ability to use both: you can tune either Nessus or OpenVAS to run 'fast scans', and given that OpenVAS is free, this allows you to run numerous on-demand scans of any kind.

Nessus may be preferred/required by some compliance auditors you interact with in the future. Some of this may be rooted in logic, but because of the open-source nature of OpenVAS combined with the common difficulty that the general security-admin public has in installing/using/maintaining it, some auditors may view it negatively without any application of logic to their conclusion.

The two-role nature becomes more relevant considering that Nessus has a cloud offering now: so you truly have the classic "expensive, easy-to-use/maintain, commercial offering" versus the "free, harder-to-use/maintain, open-source version". Both definitely can be used together, and in a production environment this could translate into